gitsafehub
github.com/0x192/universal-android-debloater

0x192/universal-android-debloater

scanned 2026-05-29 · git 11f27c6
2 of 6 checks flagged a security issue
🟡 Worth a look
6 checks ran. Start with Known OSS vulnerabilities below.

Informational scan, not a security audit.

Summary: Leaked secrets (0) · Vulnerable dependencies (7) · Known OSS vulnerabilities (23) · Risky code patterns (0) · Malicious dependencies (0) · Project health (12 notes)

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 7 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing CVE-2024-12224 Improper Validation of Unsafe Equivalence in punycode by the idna crat ...
    Cargo.lock
    A package you depend on has a known security hole (CVE-2024-12224). Fix: Update that package to its patched version.
  • Worth fixing CVE-2025-4432 A flaw was found in Rust's Ring package. A panic may be triggered when ...
    Cargo.lock
    A package you depend on has a known security hole (CVE-2025-4432). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33055 tar-rs is a tar archive reading/writing library for Rust. Versions 0.4 ...
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-33055). Fix: Update that package to its patched version.
  • Worth fixing CVE-2026-33056 tar-rs: tar-rs: Arbitrary directory permission modification via crafted tar archive
    Cargo.lock
    A package you depend on has a known security hole (CVE-2026-33056). Fix: Update that package to its patched version.
  • Worth fixing GHSA-8qv2-5vq6-g2g7 webpki: CPU denial of service in certificate path building
    Cargo.lock
    A package you depend on has a known security hole (GHSA-8qv2-5vq6-g2g7). Fix: Update that package to its patched version.
  • Minor GHSA-g98v-hv3f-hcfr atty potential unaligned read
    Cargo.lock
    A package you depend on has a known security hole (GHSA-g98v-hv3f-hcfr). Fix: Update that package to its patched version.
  • Minor GHSA-cq8v-f236-94qc Rand is unsound with a custom logger using rand::rng()
    Cargo.lock
    A package you depend on has a known security hole (GHSA-cq8v-f236-94qc). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 23 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing GHSA-r8w9-5wcg-vfj7 Mio's tokens for named pipes may be delivered after deregistration
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-8qv2-5vq6-g2g7 webpki: CPU denial of service in certificate path building
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-g98v-hv3f-hcfr atty potential unaligned read
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-cq8v-f236-94qc Rand is unsound with a custom logger using rand::rng()
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2025-0056 adler crate is unmaintained, use adler2 instead
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2021-0145 Potential unaligned read
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2024-0375 `atty` is unmaintained
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2025-0057 fxhash - no longer maintained
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2024-0421 `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-h97m-ww89-6jmq `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2024-0384 `instant` is unmaintained
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2024-0019 Tokens for named pipes may be delivered after deregistration
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2026-0097 Rand is unsound with a custom logger using `rand::rng()`
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2025-0009 Some AES functions may panic when overflow checking is enabled.
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2025-0010 Versions of *ring* prior to 0.17 are unmaintained.
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-4p46-pwfr-66x6 Some AES functions may panic when overflow checking is enabled in ring
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2024-0336 `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2025-0059 servo-fontconfig crate is unmaintained
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2026-0067 `unpack_in` can chmod arbitrary directories by following symlinks
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2026-0068 tar-rs incorrectly ignores PAX size headers if header size is nonzero
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-gchp-q4r4-x4ff tar-rs incorrectly ignores PAX size headers if header size is nonzero
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI GHSA-j4xf-2g29-59ph tar-rs `unpack_in` can chmod arbitrary directories by following symlinks
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • FYI RUSTSEC-2023-0052 webpki: CPU denial of service in certificate path building
    /workdirs/scan-8176994d-388a-4977-b06c-3be058936785/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 12 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 2.7/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CI-Tests CI-Tests scored 0: 0 out of 12 merged PRs checked by a CI test -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Signed-Releases Signed-Releases scored 0: Project has not signed or included provenance with any releases.
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Vulnerabilities Vulnerabilities scored 0: 15 existing vulnerabilities detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.